coredns-utils: Apply ZSK patch

2 years ago · 47b54f3d08
parent 9863169cc0
commit 47b54f3d08
3 changed files with 224 additions and 0 deletions
--- a/projects/coredns-utils/ZSK.patch
+++ b/projects/coredns-utils/ZSK.patch
@ -0,0 +1,219 @@
+From d1174e959f8b4153ba25dd17a533a902a5ecbe62 Mon Sep 17 00:00:00 2001
+From: andrewheberle <andrewheberle@users.noreply.github.com>
+Date: Tue, 7 Jan 2020 08:33:33 +0800
+Subject: [PATCH 1/3] Add option to generate ZSK
+
+Signed-off-by: Andrew Heberle <andrew.heberle@gmail.com>
+---
+ coredns-keygen/main.go | 15 +++++++++++----
+ 1 file changed, 11 insertions(+), 4 deletions(-)
+
+diff --git a/coredns-keygen/main.go b/coredns-keygen/main.go
+index 0bd04a8..1bbedb0 100644
+--- a/coredns-keygen/main.go
+++ b/coredns-keygen/main.go
+@@ -11,23 +11,30 @@ import (
+ )
+ 
+ var helpFlag = flag.Bool("h", false, "show short help message")
+var zskFlag = flag.Bool("zsk", false, "generate zone signing key (zsk)")
+var keyFlag uint16 = 257 // CSK/KSK
+ 
+ func main() {
+ 	flag.Usage = func() {
+ 		fmt.Fprintf(os.Stderr, "Usage of %s [OPTIONS] ZONE [ZONE]...\n", os.Args[0])
+-		fmt.Fprintf(os.Stderr, "Generate Common Signing Keys for DNSSEC.\n")
+		fmt.Fprintf(os.Stderr, "Generate Keys for DNSSEC (default is CSK/KSK).\n")
+ 		flag.PrintDefaults()
+ 	}
+ 
+ 	flag.Parse()
+-	if *helpFlag || len(os.Args[1:]) == 0 {
+	if *helpFlag || len(flag.Args()) == 0 {
+ 		flag.Usage()
+ 		return
+ 	}
+-	for _, zone := range os.Args[1:] {
+
+	if *zskFlag {
+		keyFlag = 256 // ZSK
+	}
+
+	for _, zone := range flag.Args() {
+ 		key := &dns.DNSKEY{
+ 			Hdr:       dns.RR_Header{Name: dns.Fqdn(zone), Class: dns.ClassINET, Ttl: 3600, Rrtype: dns.TypeDNSKEY},
+-			Algorithm: dns.ECDSAP256SHA256, Flags: 257, Protocol: 3,
+			Algorithm: dns.ECDSAP256SHA256, Flags: keyFlag, Protocol: 3,
+ 		}
+ 		priv, err := key.Generate(256)
+ 		if err != nil {
+-- 
+2.20.1
+
+
+From 18e1c3ac7be57b2332c4f768545f2586ba11924d Mon Sep 17 00:00:00 2001
+From: andrewheberle <andrewheberle@users.noreply.github.com>
+Date: Tue, 7 Jan 2020 08:34:40 +0800
+Subject: [PATCH 2/3] Update README for ZSK option
+
+Signed-off-by: Andrew Heberle <andrew.heberle@gmail.com>
+---
+ coredns-keygen/README.md | 22 ++++++++++++++++------
+ 1 file changed, 16 insertions(+), 6 deletions(-)
+
+diff --git a/coredns-keygen/README.md b/coredns-keygen/README.md
+index 195ff88..6a5d8ab 100644
+--- a/coredns-keygen/README.md
+++ b/coredns-keygen/README.md
+@@ -6,15 +6,17 @@
+ 
+ ## Description
+ 
+-*coredns-keygen* generates a Common Signing Key for the purpose of signing zones. It has no options
+-and will generate a key with the ECDSAP256SHA256 algorithm (elliptic curve) and the KSK bit set.
+*coredns-keygen* generates keys for the purpose of signing DNS zones. It has the option to
+generate Zone Signing Key's (ZSK) however by default keys are generated with the KSK bit set.
+All keys are generated with the ECDSAP256SHA256 algorithm (elliptic curve).
+ 
+ ## Syntax
+ 
+-~~~
+-coredns-keygen ZONES...
+~~~sh
+coredns-keygen [-zsk] ZONES...
+ ~~~
+ 
+* **-zsk**  generate ZSK instead of CSK/KSK
+ * **ZONES** zones it should generate keys for.
+ 
+ For each key pair the following files are created:
+@@ -27,14 +29,22 @@ For each generated key the base name of these file is printed to standard output
+ 
+ ## Examples
+ 
+-Generate keys for example.org and example.net:
+Generate CSK/KSK keys for example.org and example.net:
+ 
+-~~~
+~~~sh
+ $ coredns-keygen example.org example.net
+ Kexample.org.+013+09787
+ Kexample.net.+013+00440
+ ~~~
+ 
+Generate ZSK keys for example.org and example.net:
+
+~~~sh
+$ coredns-keygen -zsk example.org example.net
+Kexample.org.+013+00234
+Kexample.net.+013+08728
+~~~
+
+ ## Also See
+ 
+ dnssec-keygen(8) can also used to generate keys and supports more options. ldns-keygen(1) and
+-- 
+2.20.1
+
+
+From 667949438f59cb09d28692fe4120040b4ff8d9f4 Mon Sep 17 00:00:00 2001
+From: andrewheberle <andrewheberle@users.noreply.github.com>
+Date: Tue, 7 Jan 2020 08:39:51 +0800
+Subject: [PATCH 3/3] Update man page
+
+Signed-off-by: Andrew Heberle <andrew.heberle@gmail.com>
+---
+ coredns-keygen/coredns-keygen.8 | 40 +++++++++++++++++++++++++--------
+ 1 file changed, 31 insertions(+), 9 deletions(-)
+
+diff --git a/coredns-keygen/coredns-keygen.8 b/coredns-keygen/coredns-keygen.8
+index eae220d..02116da 100644
+--- a/coredns-keygen/coredns-keygen.8
+++ b/coredns-keygen/coredns-keygen.8
+@@ -1,5 +1,5 @@
+ .\" Generated by Mmark Markdown Processer - mmark.miek.nl
+-.TH "COREDNS-KEYGEN" 8 "August 2019" "CoreDNS" "CoreDNS"
+.TH "COREDNS-KEYGEN" 8 "January 2020" "CoreDNS" "CoreDNS"
+ 
+ .SH "COREDNS-KEYGEN"
+ .SH "NAME"
+@@ -8,19 +8,22 @@
+ 
+ .SH "DESCRIPTION"
+ .PP
+-\fIcoredns-keygen\fP generates a Common Signing Key for the purpose of signing zones. It has no options
+-and will generate a key with the ECDSAP256SHA256 algorithm (elliptic curve) and the KSK bit set.
+\fIcoredns-keygen\fP generates keys for the purpose of signing DNS zones. It has the option to
+generate Zone Signing Key's (ZSK) however by default keys are generated with the KSK bit set.
+All keys are generated with the ECDSAP256SHA256 algorithm (elliptic curve).
+ 
+ .SH "SYNTAX"
+ .PP
+ .RS
+ 
+ .nf
+-coredns\-keygen ZONES...
+coredns\-keygen [\-zsk] ZONES...
+ 
+ .fi
+ .RE
+ 
+.IP \(bu 4
+\fB-zsk\fP  generate ZSK instead of CSK/KSK
+ .IP \(bu 4
+ \fBZONES\fP zones it should generate keys for.
+ 
+@@ -29,17 +32,19 @@ coredns\-keygen ZONES...
+ For each key pair the following files are created:
+ 
+ .IP \(bu 4
+-\fB\fCK<zone>.+<algorithm>+<keytag>.key\fR for the DNSKEY RR, and
+\fB\fCK<zone>.+<algorithm>+<keytag>.key\fR for the DNSKEY RR,
+.IP \(bu 4
+\fB\fCK<zone>.+<algorithm>+<keytag>.ds\fR for the DS RR, and,
+ .IP \(bu 4
+ \fB\fCK<zone>.+<algorithm>+<keytag>.private\fR for the private one.
+ 
+ 
+ .PP
+-For each generate key the base name of these file is printed to standard output once.
+For each generated key the base name of these file is printed to standard output once.
+ 
+ .SH "EXAMPLES"
+ .PP
+-Generate keys for example.org and example.net:
+Generate CSK/KSK keys for example.org and example.net:
+ 
+ .PP
+ .RS
+@@ -52,8 +57,25 @@ Kexample.net.+013+00440
+ .fi
+ .RE
+ 
+.PP
+Generate ZSK keys for example.org and example.net:
+
+.PP
+.RS
+
+.nf
+$ coredns\-keygen \-zsk example.org example.net
+Kexample.org.+013+00234
+Kexample.net.+013+08728
+
+.fi
+.RE
+
+ .SH "ALSO SEE"
+ .PP
+-dnssec-keygen(8) can also used to generate keys and supports more options. See RFC 4033, 4034, 4035
+-for the whole DNSSEC specification.
+dnssec-keygen(8) can also used to generate keys and supports more options. ldns-keygen(1) and
+ldns-key2ds(1) or similar utilities.
+
+.PP
+See RFC 4033, 4034, 4035 for the DNSSEC specification.
+ 
+-- 
+2.20.1
+
--- a/projects/coredns-utils/build
+++ b/projects/coredns-utils/build
@ -13,6 +13,9 @@ mkdir -p $GOPATH/src/github.com/coredns
 tar -C $GOPATH/src/github.com/coredns -xf [% project %]-[% c('version') %].tar.gz
 mv $GOPATH/src/github.com/coredns/coredns-utils-[% c('version') %] $GOPATH/src/github.com/coredns/coredns-utils

+cd $GOPATH/src/github.com/coredns/coredns-utils
+patch -p1 < $rootdir/ZSK.patch
+
 # TODO: Remove static build ID after migrating to Go 1.13.3+
 go install $TAGS -ldflags '-s -buildid=' github.com/coredns/coredns-utils/coredns-keygen

--- a/projects/coredns-utils/config
+++ b/projects/coredns-utils/config
@ -20,3 +20,5 @@ input_files:
    project: go
  - name: godns
    project: godns
+  - filename: ZSK.patch
+    # From https://github.com/coredns/coredns-utils/pull/4